Widespread Threats Target Automotive Companies

The technology footprint of today’s automobiles surpasses that of our laptops and other devices: The typical personal computer operating system runs on 20 million to 50 million lines of code. But each car requires an estimated 100 million lines of code to support the more than 125 electronic control units (ECUs) in every vehicle, and that number is expected to rise to 500 million in the near future. By 2025, 470 million connected vehicles driven worldwide will each produce 25 gigabytes of data per hour.

These advancements make our cars smarter and safer and enhance the in-vehicle experience, but they also introduce new opportunities for cyberattacks. Hackers are increasingly targeting the automotive industry, and even vehicles themselves, as they search for openings created by these innovations. In addition, the sector’s dependence on lengthy, complex and interconnected supply chains adds to its attack vectors. Honda, Volkswagen, Renault and Kia have all fallen victim to highly publicized ransomware incidents, and Ford, Volkswagen and Tesla faced potentially major exposures due to significant vulnerabilities.

Like every other sector, the industry is aggressively pursuing a digital transformation. But a recent CybelAngel investigation report reveals that at the same time it is collectively failing to adequately enforce cybersecurity policies, practices and controls. To produce the report, CybelAngel analysts deployed data breach prevention, asset discovery/monitoring and account takeover prevention tools to examine 14 leading automotive companies in the first half of 2021. The report concludes that these companies remain extremely vulnerable to data breaches, ransomware and supply chain attacks due to the following unaddressed risks:

Data leaks. The investigation found both internal and supply chain data leaks. A Japanese auto manufacturer, for example, leaked data from its own file servers, email exchange servers, databases, pastebins and internet of things (IoT) devices. Leaks like these enable crimes such as intellectual property theft, corporate espionage and fraud. Another brand was linked to a cloud bucket that exposed five million files related to commercial details, email exchanges, contracts, invoices and technical data.

On the supply chain side, analysts discovered a single vendor had leaked nearly 200 pages of blueprint data detailing facility infrastructure and security system specifications. An electrical facilities and management company exposed documents from five different automotive brands, including technical drawings, manufacturing tools/individual components blueprints, contracts and invoices. Blueprint and manufacturing leaks can expose operational technology (OT) and access points throughout a facility, which adversaries can leverage to infiltrate the physical premises and/or manipulate OT controls for an entire factory.

Supply chain leaks extend beyond blueprint and manufacturing-related data: A brand’s law firm exposed HR letters related to employee contract termination, settlement agreements, termination emails and discussions that contained personally identifiable information (PII) of individuals associated with British and Indian manufacturers. Analysts also discovered confidential agreements on the sale of one brand to another company. Taken as a whole, these exposures could result in large legal liabilities and General Data Protection Regulation (GDPR) fines.

Critical incidents. During a data breach prevention scan, analysts selected 94 keywords representative of the 14 automotive manufacturers (such as brand names and references to engines, brakes and additional car-related terms). They found more than 60 million keyword matches with an estimated 800,000 alerts related to the brand names in documents hosted on exposed servers, clouds and databases. These led to 91 confirmed incidents, with 21 meriting “critical” reports.

Vulnerable assets. Asset discovery and monitoring efforts located more than 26,000 “shadow entry doors”: assets with sensitive open ports or vulnerabilities that needed to be closed immediately or monitored closely. About 14,600 of the assets had a well-documented vulnerability that could grant access to a hacker regardless of security settings, and nearly 11,800 were on ports that were open without authentication.

Exposed credentials. Out of a sample group of 2.2 million automotive industry employees, about one in ten has credentials that are exposed and publicly accessible online.

Automotive manufacturers will not “go in reverse” in the pursuit of digital innovation – they’re throttling in high gear as consumers increasingly demand and expect this in the interest of safety and the overall driving experience. Thus, the industry and its products will always rely on immense data usage, interconnectivity, supply chains and cloud-enabled capabilities to maintain a competitive advantage.

Yet they must invest just as much in protecting data assets, given the leaks and vulnerabilities created by this fast-driving, forward-moving technology momentum, especially with so many of the vulnerabilities hiding in plain sight. Otherwise, top industry brands could encounter the kind of mega-cyberattacks that could “stall their car” for the indefinite future.

Pauline Losson

Pauline Losson is the global director of analysts and cyber operations director at CybelAngel.